Abstract

The promise of quantum computation and its consequences for complexity-theoretic cryptography motivates an immediate search for cryptosystems which can be implemented with current technology, but which remain secure even in the presence of quantum computers. Inspired by recent negative results pertaining to the nonabelian hidden subgroup problem, we present here a classical algebraic function $f_V(M)$ of a matrix $M$ which we believe is a one-way function secure against quantum attacks. Specifically, inverting $f_V$ reduces naturally to solving a hidden subgroup problem over the general linear group (which is at least as hard as the hidden subgroup problem over the symmetric group). We also demonstrate a reduction from Graph Isomorphism to the problem of inverting $f_V$; unlike Graph Isomorphism, however, the function $f_V$ is random self-reducible and therefore uniformly hard.

These results suggest that, unlike Shor's algorithm for the discrete logarithm — which is, so far, the only successful quantum attack on a classical one-way function — quantum attacks based on the hidden subgroup problem are unlikely to work. We also show that reconstructing any entry of $M$, or the trace of $M$, with nonnegligible advantage is essentially as hard as inverting $f_V$. Finally, $f_V$ can be efficiently computed and the number of output bits is less than $1 + \epsilon$ times the number of input bits for any $\epsilon > 0$.
1 Introduction



When a quantum computer is finally built, perhaps its most important practical impact will be on modern cryptography, thanks to Shor's celebrated quantum algorithms for factoring and discrete logs [Sho97] (and a sequence of followup results). Quantum cryptography provides a partial recourse, though its scope is limited by "no-go" theorems such as the impossibility of quantum bit commitment, as well as extravagant physical infrastructure requirements. A plausible route to a more acceptable antidote was suggested in a result contemporaneous with Shor's paper, showing that quantum computers require exponential time to invert a random permutation in a black box model [BBBV97]. Since a random permutation is a standard abstraction for a one-way function, this result suggested the possibility of creating classical cryptography that is resistant to quantum cryptanalysis. The practical challenge is to design a function $f : \Sigma^n \to \Sigma^m$ that can be computed very efficiently by a classical computer, while providing credible evidence that inversion is difficult even with a quantum computer. It is also desirable that $f$ be nonexpansive, i.e., that $m$ not be much larger than $n$. This is the goal of this paper.

Our task is facilitated by new insights obtained over the last few years into the limits of quantum algorithms for the non-abelian hidden subgroup problem (HSP). A series of negative results [HRT00, GSVV01, MRS05] culminating in Hallgren et al. [HMR+06] shows that for sufficiently non-abelian groups the HSP is hard for quantum computers in the sense that any quantum algorithm using the coset state framework requires exponential time unless it makes highly entangled measurements of $\Omega(\log |G|)$ registers. Very few algorithmic models for highly-entangled measurements are known; one of the few proposals for carrying out such measurements efficiently is a "quantum sieve," developed by Kuperberg [K05] for the HSP on the dihedral group. However, a recent result of Moore, Russell, and Sniady [MRS06] shows that no such approach yields an efficient algorithm over the symmetric groups. In fact, for the cases relevant to Graph Isomorphism, algorithms of this form cannot even do much better than the best known classical algorithms. This forms the basis of our main assumption about the limitations of quantum algorithms.

Our function, which we denote $f_V$, is parametrized by a list of vectors $V = v_1, v_2, \ldots, v_m$; we will choose each $v_i$ independently and uniformly at random from $\mathbb{F}_q^n$, where $q$ is some small prime. Then given $M \in \mathrm{GL}_n(\mathbb{F}_q)$, that is, an invertible $n \times n$ matrix over $\mathbb{F}_q$, we define $f_V(M)$ as the collection

$$MV = \{Mv \mid v \in V\}.$$

However, $f_V$ returns this collection as an unordered set (say, sorted in lexicographic order). In other words, we know that each $w \in f_V(M)$ is $Mv$ for some $v \in V$, but we do not know with what permutation the $v$s and $w$s correspond.

In Section 2 we show that $f_V$ is one-to-one with high probability in $V$ whenever $m$ is slightly larger than $n$, say $m = n + O(\ln^2 n)$. Also, clearly $f_V$ can be computed very efficiently, in time $M(n)$, the time to multiply two $n \times n$ matrices. As a function of the input length $k = n^2$, the time is essentially $\sqrt{M(k)}$.

In Section 3 we point out that the natural reduction of inverting $f_V$ to a hidden subgroup (or hidden shift) problem results in hidden subgroup problems on the general linear group $\mathrm{GL}_n$. This group contains the symmetric group $S_n$ as a subgroup, and its HSP appears resistant to all known quantum techniques. Moreover, we reduce the Graph Isomorphism problem to the problem of inverting $f_V$. This implies that no quantum attack analogous to Shor's algorithm for the discrete logarithm can succeed, unless there is an efficient quantum algorithm for Graph Isomorphism.

We stress that unlike Graph Isomorphism, for which there is no known way to generate hard random instances, inverting $f_V$ is uniformly hard because of the following simple observation: for any matrix $A$, we have $f_V(AM) = A f_V(M)$. By choosing $A$ randomly, this allows us to map a fixed instance $f_V(M)$ to a random one with the same $V$. It follows that, for any fixed $V$, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$, then there is a probabilistic algorithm that inverts it on arbitrary inputs $M$. A similar though more complicated assertion can be made about uniform hardness with respect to choice of $V$ (see Section 4).
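The definition of $f_V$ and the symmetry $f_V(AM) = A f_V(M)$ can be checked directly on a toy instance. The Python script below is an added example and not code from the paper: it represents $f_V(M)$ as the sorted tuple of the vectors $Mv$ (the "unordered set" of the definition), enumerates $\mathrm{GL}_n(\mathbb{F}_q)$ by brute force for tiny $n$, counts how many distinct images $f_V$ takes (equal to $|\mathrm{GL}_n(\mathbb{F}_q)|$ exactly when $f_V$ is one-to-one), and verifies both symmetries $f_V(AM) = A f_V(M)$ and $f_{BV}(M) = f_V(MB)$ on random matrices. The parameters ($n = 3$, $q = 2$, the sample lists $V$, the random seeds) are constructed for illustration and are far too small for any security claim.

```python
import itertools
import random


def matvec(M, v, q):
    """Return Mv over F_q, with M a list of rows and v a tuple."""
    return tuple(sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M)))


def matmul(A, B, q):
    """Return the product AB of two n x n matrices over F_q."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % q for j in range(n)]
            for i in range(n)]


def rank_mod_q(M, q):
    """Rank of M over F_q (q prime) by Gaussian elimination."""
    rows = [list(r) for r in M]
    n_rows, n_cols = len(rows), len(rows[0])
    rank = 0
    for col in range(n_cols):
        pivot = next((r for r in range(rank, n_rows) if rows[r][col] % q), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, q)  # modular inverse (Python 3.8+)
        rows[rank] = [(x * inv) % q for x in rows[rank]]
        for r in range(n_rows):
            if r != rank and rows[r][col] % q:
                f = rows[r][col]
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def f_V(M, V, q):
    """f_V(M): the collection MV = {Mv | v in V}, returned as a sorted tuple so that
    the order of V (and hence the pairing v -> Mv) is forgotten."""
    return tuple(sorted(matvec(M, v, q) for v in V))


def general_linear_group(n, q):
    """Yield every invertible n x n matrix over F_q (filters all q^(n^2); tiny n only)."""
    for entries in itertools.product(range(q), repeat=n * n):
        M = [list(entries[i * n:(i + 1) * n]) for i in range(n)]
        if rank_mod_q(M, q) == n:
            yield M


def num_distinct_images(V, n, q):
    """Number of distinct values f_V(M) takes as M ranges over GL_n(F_q).
    It equals |GL_n(F_q)| exactly when f_V is one-to-one."""
    return len({f_V(M, V, q) for M in general_linear_group(n, q)})


def random_invertible(n, q, rng):
    """Rejection-sample a uniform element of GL_n(F_q)."""
    while True:
        M = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        if rank_mod_q(M, q) == n:
            return M


def check_symmetries(n, q, m, seed=1):
    """Verify f_V(AM) = A f_V(M) and f_{BV}(M) = f_V(MB) on random A, B, M and a
    random V of m vectors (constructed here); these are the symmetries behind the
    worst-case-to-average-case reduction."""
    rng = random.Random(seed)
    V = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(m)]
    M, A, B = (random_invertible(n, q, rng) for _ in range(3))
    left_mult = f_V(matmul(A, M, q), V, q) == tuple(
        sorted(matvec(A, w, q) for w in f_V(M, V, q)))
    orbit = f_V(M, [matvec(B, v, q) for v in V], q) == f_V(matmul(M, B, q), V, q)
    return left_mult and orbit


if __name__ == "__main__":
    n, q = 3, 2
    size = sum(1 for _ in general_linear_group(n, q))  # |GL_3(F_2)| = 168
    everything = [v for v in itertools.product(range(q), repeat=n) if any(v)]
    basis = [tuple(1 if i == j else 0 for i in range(n)) for j in range(n)]
    rng = random.Random(7)
    sample_V = [tuple(rng.randrange(q) for _ in range(n)) for _ in range(n + 3)]
    print("|GL_3(F_2)| =", size)
    print("V = all nonzero vectors: distinct images =", num_distinct_images(everything, n, q))
    print("V = standard basis (m = n): distinct images =", num_distinct_images(basis, n, q))
    print("random V with m = n + 3: distinct images =", num_distinct_images(sample_V, n, q))
    print("symmetries hold:", check_symmetries(4, 3, 6))
```

Two degenerate choices of $V$ make the role of $m$ and of randomness visible: with $V$ equal to all nonzero vectors of $\mathbb{F}_2^3$ every $M$ has the same image (one distinct value), and with $V$ the standard basis ($m = n$) the image is just the unordered set of columns of $M$, so $f_V$ is $3!$-to-one on $\mathrm{GL}_3(\mathbb{F}_2)$ and takes $168/6 = 28$ distinct values.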
Moreover, we show in Section 4 that reconstructing partial information about $f_V^{-1}(x)$ is almost as hard as inverting $f_V$. Specifically, assuming that $f_V$ is a one-way function, we show that any entry of $M$ is hard to recover in any basis, though this requires a quasipolynomial hardness assumption on $f_V$. We observe, also, that $\mathrm{tr}\,M$, the trace of $M$, is hard to recover even under typical super-polynomial hardness assumptions.

It remains an open question whether we can embed a trapdoor in $f_V$ or a suitable modification. We should point out that there are some classical cryptosystems that are not known to be breakable by a quantum computer — lattice-based cryptosystems such as the Ajtai-Dwork [AD97] cryptosystem and their subsequent improvements due to Regev [Reg04a], and the McEliece cryptosystem [McE78]. Indeed, Regev's improvement in the efficiency of lattice-based cryptosystems is based on a quantum reduction — thus the increased efficiency is predicated on resistance of the cryptosystem to quantum attacks! Evidence of quantum intractability for this cryptosystem comes from the relationship between finding short vectors and the dihedral hidden subgroup problem [Reg04b]. In particular, even though single register Fourier sampling is information-theoretically sufficient to reconstruct the hidden subgroup, the classical reconstruction problem is as hard as Subset Sum. On the other hand, quantum reconstruction is not ruled out, and Kuperberg's quantum sieve [K05] provides what may be thought of as a mildly subexponential quantum reconstruction algorithm.

The evidence for quantum intractability for the one-way function proposed here is stronger: single register Fourier sampling is provably insufficient, highly-entangled measurements on polynomially many registers are necessary, and no Kuperberg-like approach can yield an efficient algorithm. The design of efficient cryptographic primitives resistant to quantum attack is a pressing practical problem whose solution can have an enormous impact on the practice of cryptography long before a quantum computer is physically realized. A program to create such primitives must necessarily rely on insights into the limits of quantum algorithms, and this paper explores consequences of the strongest such insights we have about the limits of quantum algorithms.

Notation. As above, we let $\mathbb{F} = \mathbb{F}_q$ denote the finite field with $q$ elements, $q$ a fixed prime. We let $\mathrm{GL}_n(\mathbb{F}_q)$ (abbreviated $\mathrm{GL}_n$ when the context is clear) denote the collection of invertible $n \times n$ matrices over $\mathbb{F}_q$. Similarly $\mathrm{End}_n = \mathrm{End}_n(\mathbb{F}_q)$ denotes the set of all $n \times n$ matrices. If $M \in \mathrm{End}_n$ and $V \subseteq \mathbb{F}_q^n$, we let $MV$ denote the collection $\{Mv \mid v \in V\}$.

2 The function is one-to-one 

Our first theorem shows that when $m$ is slightly larger than $n$, then $f_V$ is a one-to-one function with high probability. We have made only desultory attempts to optimize the rate at which $\delta = m - n$ must grow for the theorem to hold.

Theorem 1. There is a constant $A$ such that if $m = n + \delta$ where $\delta \ge A \ln^2 n$, then $f_V$ is one-to-one with high probability in $V$.

Proof. If there are two matrices $M, M'$ such that $MV = M'V$, then $KV = V$ where $K = M^{-1}M'$. In other words, there is a permutation $\pi \in S_m$ such that $Kv_i = v_{\pi(i)}$ for all $i$. We will show that with high probability $K = 1$ is the only matrix with this property, and therefore that $M = M'$.

Let us call a particular permutation $\pi \in S_m$ consistent if there is a $K$ such that $Kv_i = v_{\pi(i)}$ for all $i$, and let $\mathrm{Cons}_\pi$ be this event. We will show that

$$\Pr\left[\bigvee_{\pi \ne 1} \mathrm{Cons}_\pi\right] = o(1),$$

i.e., with high probability the only consistent permutation is the identity $\pi = 1$.
Given a fixed $\pi$, we determine an order on $V$ as follows. First, we sort the cycles of $\pi$ in order of increasing length, starting with the fixed points. We break ties by assigning each cycle an index equal to the smallest $i$ such that $v_i$ appears in it and putting cycles with the smallest index first. Then, we rotate each cycle so that the $v_i$ with smallest $i$ in that cycle comes first. The details here are irrelevant; all that matters is that each $\pi$ determines an order on $V$ with the properties that the vectors corresponding to fixed points come first, and that groups of vectors corresponding to cycles of $\pi$ are contiguous.

Now fix a constant $C$, and let $L_\pi$ consist of the first $n + \delta - C\ln n$ vectors in $V$ according to this order. Let $\mathrm{Spans}_\pi$ be the event that $L_\pi$ spans the entire space $\mathbb{F}_q^n$. Then the union bound gives

$$\Pr\left[\bigvee_{\pi \ne 1} \mathrm{Cons}_\pi\right] \le \sum_{\pi \ne 1} \Pr[\mathrm{Cons}_\pi \mid \mathrm{Spans}_\pi] + \Pr\left[\bigvee_{\pi} \neg\mathrm{Spans}_\pi\right].$$
To bound the conditional probability $\Pr[\mathrm{Cons}_\pi \mid \mathrm{Spans}_\pi]$, note that if $L_\pi$ spans the entire space, then $K$ is determined by the images of the vectors in $L_\pi$. Therefore, if all the vectors in $L_\pi$ are fixed by $K$, then $K = 1$ and $\pi = 1$. On the other hand, we have sorted $V$ so that the fixed vectors come first, so if $\pi \ne 1$ none of the $C\ln n$ vectors outside $L_\pi$ can be fixed. We expose these vectors in sorted order. For each $v_i \notin L_\pi$ which is not the first in its cycle, the probability that $v_i$ is the image under $K$ of its predecessor $v_{\pi^{-1}(i)}$ is $q^{-n}$ since $v_i$ is uniformly random. These events are independent and each of these cycles is of length at least 2, so the probability that $Kv_{\pi^{-1}(i)} = v_i$ for all such $v_i \notin L_\pi$ is at most $q^{-(C/2)\,n\ln n}$. Summing over all $(n+\delta)!$ permutations $\pi$ and assuming for simplicity that $\delta < n$ (a condition which we can easily remove), the conditional probability that any $\pi \ne 1$ is consistent is at most

$$(2n)!\; q^{-(C/2)\,n\ln n} \le n^{O(1)}\,(2/e)^{2n}\, n^{(2 - (C/2)\ln q)\,n},$$

which is $o(1)$ if

$$C > 4/\ln q. \qquad (1)$$

Now we bound the probability that $\mathrm{Spans}_\pi$ fails to hold for any $\pi$ by proving that with high probability $V$ contains no subsets $L$ of size $n + \delta - C\ln n$ which do not span the entire space. By Markov's inequality, the probability that a given such $L$ does not span the space is at most the expected number of nonzero vectors $u$ which are perpendicular to all $v \in L$. Since the $v \in V$ are uniformly random, for any fixed $u$ the inner product $u \cdot v$ is zero with probability $1/q$. Thus this expectation is

$$(q^n - 1)\, q^{-(n + \delta - C\ln n)} \le q^{-\delta + C\ln n} = n^{O(1)}\, n^{-(A\ln q)\ln n},$$

where we used $\delta = A\ln^2 n$. The number of subsets of size $n + \delta - C\ln n$ is

$$\binom{n+\delta}{C\ln n} \le (2n)^{C\ln n} = n^{O(1)}\, n^{C\ln n},$$

where we again assume for simplicity that $\delta < n$. So, by the union bound, the probability that there is a non-spanning subset of size $n + \delta - C\ln n$ is at most $n^{O(1)}\, n^{(C - A\ln q)\ln n}$, which is $o(1)$ if

$$A > C/\ln q. \qquad (2)$$

In order to satisfy (1) and (2), we set, say, $C = 4/\ln q$ and $A = 5/\ln^2 q$. Then with high probability, the identity permutation $1$ is the only consistent one. Finally, note that $V$ spans the entire space with overwhelming probability; and in this case, if $Kv = v$ for all $v$ in $V$, then $K$ must be the identity. □
3 Evidence for immunity against hidden subgroup attacks



In this section we relate the hardness of our function to several fundamental problems in the area of quantum computation. Our principal hardness result, suggesting that $f_V$ can resist the quantum attacks which Shor applied so dramatically to factoring and discrete log, shows that Graph Isomorphism can be reduced to the problem of inverting $f_V$. Our current belief, based on a series of negative results, is that Graph Isomorphism, and more generally the HSP on groups like $S_n$ and $\mathrm{GL}_n$ which have exponentially high-dimensional representations, is hard for quantum computers. If this belief is correct, then $f_V$ cannot be efficiently inverted by such methods. We observe, also, that inverting $f_V$ can be reduced to natural hidden shift and hidden subgroup problems on the group $\mathrm{GL}_n$.

We begin by reducing the problem of inverting $f_V$ to the Hidden Shift Problem on the group $\mathrm{GL}_n$. Given a group $G$, an instance of a Hidden Shift problem consists of two functions $f_1, f_2 : G \to S$, with the promise that $f_2(g) = f_1(gs)$ for some shift $s \in G$. Now, given $V$ and $f_V(M) = MV$, we can define two functions $f_1, f_2 : \mathrm{GL}_n \to S$ where $S$ is the set of unordered lists of vectors in $\mathbb{F}_q^n$. Namely, we define

$$f_1(N) = NV \quad \text{and} \quad f_2(N) = N f_V(M) = NMV.$$

Then $f_1(N) = f_V(N)$ and $f_2(N) = f_V(NM) = f_1(NM)$, and $M$ is the hidden shift.

Now, given a Hidden Shift Problem on a group $G$ where the functions $f_1, f_2$ are one-to-one, we can reduce it to a Hidden Subgroup Problem on a larger group, namely the wreath product $G \wr \mathbb{Z}_2$. This group is the semidirect product $(G \times G) \rtimes \mathbb{Z}_2$, where we extend $G \times G$ with an involution which exchanges the two copies of $G$. We denote its elements $(g_1, g_2, z)$, where those with $z = 0$ form the normal subgroup which fixes the two copies of $G$, and those with $z = 1$ form its nontrivial coset which exchanges them.

Recall that an instance of the Hidden Subgroup Problem consists of a function $f : G \to S$ with the promise that, for some subgroup $H$, $f(x) = f(y)$ if and only if $x = yh$ for some $h \in H$. Given a Hidden Shift Problem with functions $f_1, f_2 : G \to S$, define the following function $f : G \wr \mathbb{Z}_2 \to S^2$:

$$f(g_1, g_2, 0) = (f_1(g_1), f_2(g_2)),
\qquad
f(g_1, g_2, 1) = (f_2(g_2), f_1(g_1)).$$

Now suppose that $f_2(g) = f_1(gs)$ and let $a$ be the involution $(s^{-1}, s, 1)$. If multiplication in $G \wr \mathbb{Z}_2$ is defined so that $(g_1, g_2, 0) \cdot a = (g_2 s, g_1 s^{-1}, 1)$, then $f$'s hidden subgroup is the order-2 subgroup $H = \{1, a\}$. (Indeed, the canonical reduction of Graph Isomorphism to the Hidden Subgroup Problem over $S_n \wr \mathbb{Z}_2$ is exactly of this type, where $a = (\pi^{-1}, \pi, 1)$ exchanges the two graphs and $\pi$ is the isomorphism between them.) Finally, we point out that $\mathrm{GL}_{2n}$ contains a copy of $\mathrm{GL}_n \wr \mathbb{Z}_2$: namely, the subgroup consisting of matrices of the form

where $g_1, g_2 \in \mathrm{GL}_n$. Thus the problem of inverting $f_V$ reduces to the Hidden Shift and Hidden Subgroup Problems in $\mathrm{GL}_n$ and $\mathrm{GL}_{2n}$ respectively.

Now, we give a reduction from Graph Isomorphism to the problem of inverting $f_V$. Specifically, we reduce the decision problem of telling whether two graphs $G_1, G_2$ are isomorphic to the decision problem of telling, given $V$ and $W$, whether there is a matrix $M$ such that $MV = W$, and hence whether $W$ is in the image of $f_V$. The same construction reduces the promise problem of finding the isomorphism between two isomorphic graphs to the problem of finding $M = f_V^{-1}(W)$.

The reduction is quite simple. Given a graph $G_1$ with $n$ vertices and $m$ edges, $V$ will consist of $n + m$ vectors in $\mathbb{F}_q^n$. We identify each vertex $u$ with a basis vector $u$, which we include in $V$, and for each edge $(u, v)$ we include the vector $u + v$. We construct $W$ from $G_2$ similarly.

Clearly $G_1 \cong G_2$ if and only if $MV = W$ for some permutation matrix $M$. First we show that, if $q \ge 3$, any $M$ such that $MV = W$ is necessarily a permutation matrix. To see this, note that since each vertex of $G_1$ gets mapped to a vertex or an edge of $G_2$, each column of $M$ is zero except for one or two 1s. But in $\mathbb{F}_q^n$ with $q \ge 3$, the sum of two such vectors has at least two nonzero components, so no edge of $G_1$ can be mapped to a vertex of $G_2$. It follows that every vertex of $G_1$ is mapped to a vertex of $G_2$, so $M$ is a permutation matrix.

In the case $q = 2$, it is possible that $M$ is not a permutation matrix, and that some vertices get mapped to edges and vice versa. However, $M$'s existence still implies that $G_1$ and $G_2$ are isomorphic, and allows us to easily determine the isomorphism $\pi$ between them. Let us call a vertex of $G_1$ "green" or "red" if it is mapped to a vertex or an edge, respectively, and consider a vertex $w$ of $G_2$. Since $M^{-1}w$ is either a vertex or an edge, either there is a green vertex $u$ such that $Mu = w$, or there is a red vertex $u$ with a unique green neighbor $v$ such that $Mu = w + Mv$ and so $M(u + v) = w$. In either case, define $\pi(u) = w$; since $\pi$ is one-to-one, it follows that every red vertex has a unique green neighbor.

It remains to check that $\pi$ is an isomorphism. Denote the set of edges of $G_1$ and $G_2$ as $E_1$ and $E_2$ respectively, and suppose that $(u, v) \in E_1$. If $u$ and $v$ are green, then $M(u + v) = \pi(u) + \pi(v)$. If $u$ is red and $v$ is its unique green neighbor, then $Mu = \pi(u) + \pi(v)$. Finally, if $u$ and $v$ are both red, they must have the same green neighbor $t$ since otherwise $M(u + v)$ would be the sum of four basis vectors; then $M(u + v) = \pi(u) + \pi(v) + 2\pi(t) = \pi(u) + \pi(v)$. In each case, since $\pi(u) + \pi(v) \in W$ we have $(\pi(u), \pi(v)) \in E_2$, and this completes the proof.
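The reduction just described can be run end to end on tiny graphs. The Python below is an added example and not the paper's code: it encodes vectors of $\mathbb{F}_2^n$ as bitmasks, builds $V$ and $W$ from two graphs exactly as above (one basis vector per vertex, $u + v$ per edge), brute-forces every $n \times n$ binary matrix $M$ with $MV = W$ as unordered sets, and then recovers the isomorphism $\pi$ from $M$ with the green/red argument for $q = 2$, where $M$ need not be a permutation matrix. The graphs (a 4-vertex path, a relabelled copy of it, and a 4-vertex star) are constructed for the example; the $2^{n^2}$ search is only feasible for such toy sizes.

```python
import itertools


def graph_vectors(n, edges):
    """V for the reduction over F_2, vectors as bitmasks: e_u per vertex, e_u + e_v per edge."""
    return [1 << u for u in range(n)] + [(1 << u) | (1 << v) for u, v in edges]


def apply(cols, x):
    """Mx over F_2, where cols[j] is the j-th column of M (the image of e_j)."""
    y = 0
    for j, c in enumerate(cols):
        if (x >> j) & 1:
            y ^= c
    return y


def find_maps(V, W, n):
    """All n x n binary matrices M (as tuples of columns) with MV = W as unordered
    sets; exhaustive over 2^(n^2) matrices, so only for toy n."""
    target = sorted(W)
    return [cols for cols in itertools.product(range(1 << n), repeat=n)
            if sorted(apply(cols, v) for v in V) == target]


def is_vertex(x):
    """True if the nonzero bitmask x has a single 1, i.e. is a basis vector."""
    return x != 0 and (x & (x - 1)) == 0


def is_permutation_matrix(cols):
    return all(is_vertex(c) for c in cols) and len(set(cols)) == len(cols)


def recover_isomorphism(cols, n, edges1):
    """The q = 2 argument of Section 3: a vertex u of G1 is green if Mu is a vertex of
    G2 and red if it is an edge; a red u is sent to M(u + v) for its unique green
    neighbour v.  Returns the map pi as a dict, or None if the structure is violated."""
    adj = {u: set() for u in range(n)}
    for u, v in edges1:
        adj[u].add(v)
        adj[v].add(u)
    green = {u for u in range(n) if is_vertex(cols[u])}
    pi = {}
    for u in range(n):
        if u in green:
            w = cols[u]
        else:
            greens = [v for v in adj[u] if v in green]
            if len(greens) != 1:
                return None
            w = cols[u] ^ cols[greens[0]]  # M(u + v) = Mu + Mv over F_2
            if not is_vertex(w):
                return None
        pi[u] = w.bit_length() - 1        # index of the basis vector w
    return pi if len(set(pi.values())) == n else None


def is_isomorphism(pi, edges1, edges2):
    """Check that pi maps every edge of G1 onto an edge of G2 (same edge counts)."""
    if pi is None:
        return False
    e2 = {frozenset(e) for e in edges2}
    return len(e2) == len(edges1) and all(frozenset((pi[u], pi[v])) in e2 for u, v in edges1)


if __name__ == "__main__":
    # Constructed sample graphs on 4 vertices.
    path = [(0, 1), (1, 2), (2, 3)]
    path_relabelled = [(2, 0), (0, 3), (3, 1)]   # the path 2-0-3-1
    star = [(0, 1), (0, 2), (0, 3)]
    V, W = graph_vectors(4, path), graph_vectors(4, path_relabelled)
    sols = find_maps(V, W, 4)
    print("matrices with MV = W:", len(sols),
          "of which permutation matrices:", sum(is_permutation_matrix(c) for c in sols))
    for cols in sols:
        pi = recover_isomorphism(cols, 4, path)
        print(cols, "->", pi, "isomorphism:", is_isomorphism(pi, path, path_relabelled))
    print("path vs star, matrices with MV = W:", len(find_maps(V, graph_vectors(4, star), 4)))
```

For the two paths the search finds exactly two permutation matrices (the two isomorphisms, since a path on four vertices has a two-element automorphism group) plus further matrices that map some vertices to edges, and the green/red recovery turns every one of them into a valid isomorphism; for the path against the star, which are not isomorphic, no matrix at all satisfies $MV = W$.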

4 Uniformity of hardness, amplification, and hard-core predicates 

Self-reducibility and uniform hardness. As we pointed out in the Introduction, our function has a simple symmetry which causes it to be self-reducible from the worst case to the random case: for any fixed $V$, we have $f_V(AM) = A f_V(M)$. It follows by standard amplification that, for any fixed $V$, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$ then it can be inverted with probability $1 - e^{-\mathrm{poly}(n)}$ on any particular $M$.

We can define uniform hardness with respect to $V$ using another obvious symmetry,

$$f_{BV}(M) = f_V(MB).$$

Let us say that $V \sim V'$ if there is a $B \in \mathrm{GL}_n$ such that $V' = BV$. This is clearly an equivalence relation; we will call the equivalence class containing $V$ its orbit, and denote it $[V]$. Then a similar argument shows that inverting $f_V$ is uniformly hard within each orbit: namely, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$ and vectors $V' \in [V]$ then it can be inverted with probability $1 - e^{-\mathrm{poly}(n)}$ on any particular $M$ and $V' \in [V]$.

A priori, even if it is hard to invert $f_V$, one might hope to recover partial information about $M$ from its image $f_V(M)$, such as its trace or a single entry in some basis. In this section, we show that this is essentially as hard as recovering all of $M$. Therefore, under reasonable hardness assumptions regarding $f_V$, these goals are also impossible for quantum computers to carry out efficiently.

Hard-core predicates. A hard-core predicate is an efficient description of a bit of information that is concealed by a given one-way function. Specifically, if $\{f_n : D_n \to R_n\}$ is a family of one-way functions, then an $s(n)$-hard-core predicate is a polynomial time computable family of functions $\{b_n : D_n \to \{0, 1\}\}$ so that for any algorithm $A$ running in time $s(n)$, for sufficiently large $n$,

$$\Pr_{f_n, w}\left[A(f_n(w)) = b_n(w)\right] \le \frac{1}{2} + \frac{1}{s(n)}.$$

Our goal here is to show that every individual entry of $M$ is a hard-core bit in any basis; in particular, recovering any entry of $M$ is as hard as inverting $f_V$. We also point out that recovering the trace of $M$ is as hard as inverting $f_V$.

We begin by formalizing the notions of hardness we require for the function $f_V$.
Assumption 1 ($t(n)$-hardness). For each $n \ge 1$, let $m = m(n) = (1 + \epsilon)n$ for some constant $\epsilon > 0$, let $M$ be a uniformly random element of $\mathrm{GL}_n(\mathbb{F})$, and let $V$ be a collection of $m$ independently and uniformly selected elements of $\mathbb{F}^n$. Then for all quantum algorithms $A$ running in time $t(n)$,

$$\Pr_{M,V}\left[A(M(V), V) = M\right] =$$

We devote the remainder of this section to showing the following two theorems.

Theorem 2. If $f_V$ is quasipolynomially hard (that is, $t(n)$-hard for every $t(n) = 2^{\log^{O(1)} n}$) then every entry of $M$ (in any basis) is a quasipolynomially hard-core predicate.

Theorem 3. If $f_V$ is polynomially hard (that is, $t(n)$-hard for every $t(n) = n^{O(1)}$) then the trace $\mathrm{tr} : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$ is a polynomially hard-core predicate.



4.1 The bilinear predicate: every matrix entry is hard 

Given two basis vectors $a$ and $b$, the corresponding matrix element can be written as an inner product $\langle a, Mb \rangle$. We will show that if $f_V$ is quasipolynomially hard, then this function is a hard-core predicate for $f_V$ for any fixed nonzero $a, b \in \mathbb{F}^n$. Specifically, given an algorithm $P$ running in time $2^{\log^{O(1)} n}$ for which

$$\Pr_{V,M}\left[P(f_V(M), V) = \langle a, Mb \rangle\right] \ge \frac{1}{2} + \epsilon \quad \text{with } \epsilon = 2^{-\log^{O(1)} n},$$

we show how to invert $f_V$ on a $2^{-\log^{O(1)} n}$ fraction of its inputs $M$, which would contradict the assumption that $f_V$ is quasipolynomially hard.

To simplify the exposition, we will fix $q$ to be 2 in this section, and write $\mathbb{F} = \mathbb{F}_2$. We rely on the Goldreich-Levin theorem [GL89]; for larger prime $q$, we rely on its generalization to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95].

Initially, we wish to focus attention on certain "good" choices of $V$, where the algorithm $P$ is a good predictor for $\langle a, Mb \rangle$. Recall that $[V]$ denotes the orbit of $V$ under multiplication by elements of $\mathrm{GL}_n$. Define an element $V$ to be "good" if

It is easy to show that at least an $\epsilon/2$ fraction of $V$ must be good in this sense; we fix a specific such $V$ for the remainder of the proof, and show how to invert the function $f_V$ in this case.

We first show how to use $P$ to implement an algorithm for any fixed $M$, which takes as input $x, y \in \mathbb{F}^n$ (and $(f_V(M), V)$) and outputs $\langle x, My \rangle$ correctly on a $1/2 + \epsilon/2$ fraction of $x, y$. First note that for two matrices $A, B \in \mathrm{GL}_n$, the pair $(f_{BV}(AMB^{-1}), BV) = (AMV, BV)$ can be computed efficiently from $(f_V(M), V) = (MV, V)$ by left-multiplying $MV$ and $V$ by $A$ and $B$ respectively. Defining $T(A, B) = P(f_{BV}(AMB^{-1}), BV)$, we may then rewrite the condition that $V$ is good in terms of $T(\cdot, \cdot)$:

$$\Pr\left[T(A, B) = \langle a, AMB^{-1}b \rangle\right] \ge \frac{1}{2} + \frac{\epsilon}{2}.$$

Finally, for a pair of vectors $x, y \in \mathbb{F}^n$, define $\tilde{T}(x, y) = T(A, B)$, where $A$ and $B$ are random elements of $\mathrm{GL}_n(\mathbb{F})$ for which $A^{\top}a = x$ and $B^{-1}b = y$, so that $\langle a, AMB^{-1}b \rangle = \langle x, My \rangle$. Rewriting the bound above, we conclude:

$$\Pr\left[\tilde{T}(x, y) = \langle x, My \rangle\right] \ge \frac{1}{2} + \frac{\epsilon}{2}. \qquad (5)$$

Let us call a vector $x \in \mathbb{F}^n$ $\ell$-good if $\Pr_{y \in \mathbb{F}^n}[\tilde{T}(x, y) = \langle x, My \rangle] \ge 1/2 + \epsilon/4$. It follows that a uniformly selected $x$ is $\ell$-good with probability at least $\epsilon/4$. Note, furthermore, that if $x$ is a fixed $\ell$-good element of $\mathbb{F}^n$, then the Goldreich-Levin construction [GL89] can be used to determine $\langle x, My \rangle$ for all $y \in \mathbb{F}^n$ (in time polynomial in $n$ and $\epsilon^{-1}$). In particular, this determines an entire row of $M$ when expressed in a basis containing $x$.

We consider now a family $G$, consisting of $2\log m$ vectors selected independently and uniformly in $\mathbb{F}^n$. We say that $G$ is $\ell$-good if this is true of each of its elements, a favorable event that occurs with probability at least $(\epsilon/4)^{2\log m}$. Furthermore, the probability that $G$ contains a linearly dependent set of vectors is no more than $2\log(m) \cdot 2^{-n + 2\log m} = 2^{-\Omega(n)}$. (This can be seen by selecting the elements of $G$ in order and bounding the unlikely event that an element falls into the span of the previously chosen vectors.) Thus

$$\Pr\left[G \text{ is } \ell\text{-good} \wedge G \text{ is independent}\right] \ge (\epsilon/4)^{2\log m} - e^{-\Omega(n)}.$$

Now, for each $g \in G$, application of the Goldreich-Levin construction to each component of $g$ (reconstructing $\langle g, My \rangle$ for all $y$) determines $\langle g, Mv \rangle$ for each $v \in V$ and $g \in G$. Therefore, in this case we can reconstruct $2\log m$ "generalized rows" of $M$.

Observe that if the elements of $V$ (and hence $W = M(V)$) are considered to be selected independently and uniformly at random, and independently of $G$, then the probability that two elements $w$ and $w'$ of $W$ have the property that $\langle g, w \rangle = \langle g, w' \rangle$ for all $g \in G$ is $2^{-2\log m}$. Let $\Pi_G : \mathbb{F}^n \to \mathbb{F}^{2\log m}$ denote the projection onto the space spanned by the vectors in $G$. In particular, this information would appear to determine the bijection $\Phi_M : V \to W$ effected by the action of $M$ on $V$. This intuitive argument is misleading, as written, since the notion of $\ell$-good depends on $V$ (and so on $W$) via the arbitrary predicting algorithm $P$. Instead, our goal below will be to show that the total number of permutations of the set $W$ under which $\Pi_G$ is invariant is small enough that we can exhaustively search them to uncover the bijection $\Phi_M$ and hence the linear operator $M$.

Consider random (and independent) selection of $G$, $V$, and $M$ (so that $W = M(V)$ is also determined) with no extra conditioning except that $G$ be linearly independent. Let $I_G$ denote the collection of permutations $\phi : W \to W$ with the property that $\Pi_G w = \Pi_G \phi(w)$ for all $w \in W$. We will show below that $\mathbb{E}_{V,M,G}[|I_G|] = O(\sqrt{m})$. Then Markov's inequality will allow us to bound the probability that $|I_G|$ exceeds $e^{O(\log n)}$. To round out the proof we will show that the chance that $V$ is good and that $G$ is $\ell$-good is much higher than this failure probability, thereby concluding that there is a significant chance that $V$ is good, $G$ is $\ell$-good and that $|I_G| = e^{O(\log n)}$.

As the elements of $W$ are selected independently (and uniformly) in $\mathbb{F}^n$, each $\Pi_G w$ is an independent, uniform element of $\mathbb{F}^{|G|}$. Fixing a permutation $\phi$, let $\lambda_1, \lambda_2, \ldots$ be the lengths of its cycles, arranged in nonincreasing order. The probability that the elements of $W$ in each of these cycles are mapped to the same element under $\Pi_G$ is no more than $\prod_i (2^{-|G|})^{\lambda_i - 1} = (m^{-2})^{\tau(\phi)}$, where $\tau(\phi) = \sum_i (\lambda_i - 1)$ is also the minimum number of transpositions required to write $\phi$.

This quantity is bounded by the lemma below. Its proof uses the machinery of exponential generating functions, and is relegated to Appendix A.

Lemma 4. Let $0 < z < 1/k$; then

$$q_k(z) = \sum_{\pi \in S_k} z^{\tau(\pi)} = O(\sqrt{k})\, \frac{e^{-k}}{(1 - zk)^{1/z}}. \qquad (6)$$

In light of this bound, the expectation of $|I_G|$, the number of $\phi$ under which $\Pi_G$ is invariant, is no more than

$$\sum_{\phi \in S_m} (m^{-2})^{\tau(\phi)} = q_m(1/m^2) = O(\sqrt{m})\, e^{-m}\, (1 - 1/m)^{-m^2}.$$

As $-\ln(1 - x) = x + x^2/2 + x^3/3 + \ldots$, we have

$$(1 - 1/m)^{-m^2}\, e^{-m} = \exp\left(-m + m^2\left[1/m + (1/m)^2/2 + O(1/m^3)\right]\right) = O(1).$$

Thus $\mathbb{E}[|I_G|] = O(\sqrt{m})$.
Putting the pieces together, with $M$, $V$, and $G$ selected as above,

$$\Pr\left[(V \text{ is good}) \wedge (G \text{ is both } \ell\text{-good and linearly independent})\right] \ge \frac{\epsilon}{2} \cdot \left(\frac{\epsilon}{4}\right)^{2\log m} \ge \left(\frac{\epsilon}{4}\right)^{1 + 2\log m}.$$

As $\mathbb{E}_{V,M,G}[|I_G|] = O(\sqrt{m})$, by Markov's inequality there is a constant $c$ so that

$$\Pr_{V,M,G}\left[|I_G| \ge c\sqrt{m}\,(4/\epsilon)^{1 + 2\log m}\right] \le \frac{1}{2}\left(\frac{\epsilon}{4}\right)^{1 + 2\log m}.$$

Thus, with probability at least $(1/2)(\epsilon/4)^{1 + 2\log m}$, $V$ is good, $G$ is $\ell$-good, and there are $(4/\epsilon)^{O(\log n)}$ permutations of $W$ that fix $\Pi_G$. These permutations determine a set of no more than $(4/\epsilon)^{O(\log n)}$ mappings between $V$ and $W$ consistent with $M$; these can be exhaustively searched in time $\mathrm{poly}(n) \cdot (4/\epsilon)^{O(\log n)}$, which is quasipolynomial when $\epsilon^{-1}$ is.

We conclude this section with a proof that, even if $\epsilon^{-1}$ is only polynomial in $n$, hardness with respect to quasipolynomial time is the most we can hope for in the case of the bilinear predicate (in the absence of further information about the preimage). First, choose a subspace $S$ of $\mathbb{F}^n$ with dimension $\dim S = \log_2 n$. Now consider an oracle $P(a, b)$ defined as follows. If either $a$ or $b$ is orthogonal to $S$, then $P(a, b) = \langle a, Mb \rangle$, but if neither of them is orthogonal to $S$, then $P(a, b)$ is uniform in $\mathbb{F}$. Since a uniform vector in $\mathbb{F}^n$ is orthogonal to $S$ with probability $1/n$, it follows that $P(a, b)$ is correct with probability $1/2 + \epsilon$ where $\epsilon \ge 1/n$.

Now choose a basis for $\mathbb{F}^n$, and let $S$ be the subspace generated by the first $\dim S$ basis vectors. It is clear that this oracle gives us no information whatever regarding the matrix elements in the $\dim S \times \dim S$ minor at the upper left-hand corner of $M$. Therefore, we are forced to try all possible values for the elements of this minor by exhaustive search, and this takes $2^{(\dim S)^2} = 2^{\log^2 n}$ time.

4.2 The trace predicate 

The proof that the trace predicate is hard is a direct consequence of the Goldreich-Levin theorem [GL89] and its generalization to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95]. Specifically, consider the trace $\mathrm{tr} : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$. Suppose now that there is a polynomial-time quantum algorithm $P$ so that for $M$ selected uniformly at random in $\mathrm{GL}_n$ and $V$ a collection of $m$ independent and uniform vectors of $\mathbb{F}^n$,

$$\Pr_{M,V}\left[P(f_V(M), V) = \mathrm{tr}(M)\right] \ge \frac{1}{2} + \epsilon,$$

where $\epsilon = n^{-O(1)}$. It follows that for at least an $\epsilon/2$ fraction of the $V$, when selected as above, we have

$$\Pr_M\left[P(f_V(M), V) = \mathrm{tr}(M)\right] \ge \frac{1}{2} + \frac{\epsilon}{2}.$$

We show how to invert $f_V$ for such "good" $V$; as these occur with probability $\epsilon/2$, this would contradict the assumption that $f_V$ is polynomially hard. For the remainder of the proof we fix a specific $V$ satisfying the equation above.

Again note that for any matrix $N \in \mathrm{GL}_n$, the collection $f_V(NM) = NMV$ can be computed in polynomial time from $f_V(M)$, simply by left-multiplying the collection $f_V(M) = MV$ by $N$. In particular, given $f_V(M)$, the function $T : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$ given by $T(N) = P(f_V(NM), V)$ can be computed in polynomial time and has the property that

$$\Pr_N\left[T(N) = \mathrm{tr}(NM)\right] \ge \frac{1}{2} + \epsilon. \qquad (7)$$
Now, for a fixed matrix $C$, the function $\ell_C : M \mapsto \mathrm{tr}(CM)$ is a linear function and, moreover, all linear combinations of the entries of $M$ can be written in this way. In light of this, note that if the guarantee (7) could be arranged with the matrix $C$ being selected uniformly at random from the collection of all matrices (rather than the invertible ones), we could immediately apply the Goldreich-Levin [GL89] construction at this point to recover $M$. This "oracle" $T$ can, however, be extended to an oracle $\tilde{T}$ defined on the family of all matrices $C$ by simply assigning random values to the singular matrices $C \notin \mathrm{GL}_n$, in which case with constant probability (over the selection of random values for this oracle),

$$\Pr_N\left[\tilde{T}(N) = \mathrm{tr}(NM)\right] \ge \frac{1}{2} + \alpha_p(n)\,\epsilon, \qquad (8)$$

where

$$\alpha_p(n) = \prod_{i=0}^{n-1}\left(1 - p^{-(i+1)}\right) \ge \prod_{i=0}^{\infty}\left(1 - p^{-(i+1)}\right)$$

is the probability that a random $n \times n$ matrix over $\mathbb{F}_p$ is invertible. In this case, when $p = 2$ the Goldreich-Levin theorem can be applied directly:

Theorem 5 ([GL89]). Let $g : \mathbb{F}_2^n \to \mathbb{F}_2$ be a function so that for some $h \in \mathbb{F}_2^n$, $\Pr_{x \in \mathbb{F}_2^n}[g(x) = \langle x, h \rangle] \ge \frac{1}{2} + \epsilon$ and let $c > 0$. Then there is a randomized algorithm running in time $\mathrm{poly}(n, \epsilon^{-1})$ (and making no more than $\mathrm{poly}(n, \epsilon^{-1})$ black-box queries to $g$) that determines $h$ with probability $1 - 1/n^c$.

When $q > 2$, one has to apply the generalization of [GL89] to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95].
Figure 1: Two of the authors hard at work chalking up the proof of Lemma 4 on an asphalt driveway.



A Proof of Lemma 4

Recall that Lemma 4 asserts that if $0 < z < 1/k$, then

$$q_k(z) = \sum_{\pi \in S_k} z^{\tau(\pi)} = O(\sqrt{k})\, \frac{e^{-k}}{(1 - zk)^{1/z}}. \qquad (9)$$

Proof of Lemma 4. Consider the exponential generating function

$$g(y, z) = \sum_{m \ge 0} q_m(z)\, \frac{y^m}{m!}.$$

Using the techniques of [Wil94, Chapter 3], we can write this as a product over all $k$ of contributions from the $(k-1)!$ possible $k$-cycles, including fixed points. Since each such cycle contributes $k$ to $m$ and $k - 1$ to $\tau(\pi)$, and since there are $(k-1)!$ $k$-cycles on a given set of $k$ objects, it follows (cf. Figure 1) that

$$g(y, z) = \exp\left(\sum_{k \ge 1} (k-1)!\,\frac{y^k z^{k-1}}{k!}\right) = \exp\left(\sum_{k \ge 1} \frac{y^k z^{k-1}}{k}\right) = \exp\left(-\frac{1}{z}\ln(1 - yz)\right) = \frac{1}{(1 - yz)^{1/z}}.$$

Now note that $e^{-k} g(k, z)$ is the expectation of $q_m(z)$, where $m$ is Poisson-distributed with mean $k$. Since $q_m(z) \ge 0$, this expectation is at least $q_k(z)$ times the probability that $m = k$, which is $e^{-k} k^k / k! = (1 - o(1))/\sqrt{2\pi k}$. Thus we have

$$q_k(z) \le (1 + o(1))\sqrt{2\pi k} \cdot e^{-k} g(k, z),$$

which concludes the proof. □